Session ID:

Session Classification:
Ben Rothke, CISSP CISM
Wyndham Worldwide Corp.
Building a Security Operations Center
(SOC)
TECH-203
Advanced
About me
Ben Rothke, CISSP, CISM, CISA
Manager - Information Security - Wyndham
Worldwide Corp.
All content in this presentation reflect my views
exclusively and not that of Wyndham Worldwide
Author - Computer Security: 20 Things Every
Employee Should Know (McGraw-Hill)
Write the Security Reading Room blog
https://365.rsaconference.com/blogs/securityreading
2
Agenda
Introduction
Need for a Security Operations Center (SOC)
Components of an effective SOC
Deciding to insource or outsource the SOC
Outsourced SOC = MSSP
SOC requirements
Q/A
3
Building a Security
Operations Center
(SOC)
4
Current information security challenges
Onslaught of security data from disparate
systems, platforms and applications
numerous point solutions (AV, firewalls, IDS/IPS,
ERP, access control, IdM, SSO, etc.)
millions / billions of messages daily
attacks becoming more frequent / sophisticated
regulatory compliance issues place increasing
burden on systems and network administrators
5
Why do you need a SOC?
because a firewall and IDS are not enough
nucleus of all information security operations
provides
continuous prevention
protection
detection
response capabilities against threats, remotely
exploitable vulnerabilities and real-time incidents on
your networks
works with CIRT to create comprehensive
infrastructure for managing security operations
6
SOC benefits
speed of response time
malware can spread throughout the Internet in
minutes or even seconds, potentially knocking out
your network or slowing traffic to a crawl
consequently, every second counts in identifying
these attacks and negating them before they can
cause damage
ability to recover from a DDoS attack in a
reasonable amount of time
7
Integrated SOC
8
IBM
SOC functions
Real-time monitoring / management
aggregate logs
aggregate data
coordinate response and remediation
Reporting
executives
auditors
security staff
Post-incident analysis
forensics
investigation
9
SOC planning
full audit of existing procedures, including
informal and ad-hoc
planning of location, resources, training
programs, etc.
plans change; dont try to prepare everything
ahead of time
sometimes best approach is not clear until you have
actually started
build it like aircraft carrier - change built into design
10
SIM/SIEM/SEM tools
Many SOC benefits come from good SIM tool
consolidates all data and analyzes it intelligently
provides visualization into environment
Choose SIM thats flexible and agile, plus:
track and escalate according to threat level
priority determination
real-time correlation
cross-device correlation
audit and compliance
11
Challenge of SIM & automation
A well-configured SIM can automate much of the
SOC process. But
The more advanced a control system is, so the
more crucial may be the contribution of the
human operator
Ironies of Automation - Lisanne Bainbridge
discusses ways in which automation of industrial processes may
expand rather than eliminate problems with the human operator
dont get caught in the hype that a SIM can
replace good SOC analysts
no secret that they cant
12
Which SOC?
Outsourced
Symantec, SecureWorks (Dell), Solutionary, WiPro,
Tata, CenturyLink (Savvis, Qwest), McAfee, Verizon
(Cybertrust / Ubizen), Orange, Integralis, Sprint, EDS,
AT&T, Unisys, VeriSign, BT Managed Security
Solutions (Counterpane), NetComSystems and more
Centralized group within enterprise
Corporate SOC
13
In-house SOC vs. outsourced MSSP
14
The Business Case for Managed Security Services Managed Security Services Providers vs. SIEM Product Solutions
http://www.solutionary.com/dms/solutionary/Files/whitepapers/MSSP_vs_SIEM.pdf
Define the SOC requirements
define specific needs for the SOC within the
organization
what specific tasks will be assigned to the SOC?
detecting external attacks, compliance monitoring,
checking for insider abuse, incident management, etc.
who will use the data collected and analyzed by
the SOC?
what are their requirements?
who will own and manage the SOC?
types of security events will be fed into the SOC
15
Internal SOC
16
Advantages Disadvantages
dedicated staff
knows environment better
than a third-party
solutions are generally
easier to customize
potential to be most
efficient
most likely to notice
correlations between
internal groups
logs stored locally
larger up-front investment
higher pressure to show
ROI quickly
higher potential for
collusion between analyst
and attacker
less likely to recognize
large-scale, subtle patterns
that include multiple groups
can be hard to find
competent SOC analysts
Internal SOC - Questions
1. does your staff have the competencies (skills
and knowledge) to manage a SOC?
2. how do you plan to assess if they really do
have those competencies?
3. are you willing to take the time to document all
of the SOC processes and procedures?
4. whos going to develop a training program?
5. whos going to design the physical SOC site?
6. can you hire and maintain adequate staff
levels?
17
Internal SOC success factors
1. Trained staff
2. good SOC management
3. adequate budget
4. good processes
5. integration into incident response
If your organization cant commit to these five factors,
do not build an internal SOC it will fail
will waste money and time and create false sense of security
if you need a SOC but cant commit to these
factors, strongly consider outsourcing
18
Outsourced SOC
19
Advantages Disadvantages
avoidcapitalexpenses itstheir
hardware&software
exposuretomultiplecustomersin
similarindustrysegment
oftencheaperthaninhouse
lesspotentialforcollusionbetween
monitoringteamandattacker
goodsecuritypeoplearedifficultto
find
unbiased
potentialtobeveryscalable&
flexible
expertiseinmonitoringandSIM
tools
SLA
contractorswillneverknowyour
environmentlikeinternalemployees
sendingjobsoutsidethe
organizationcanlowermorale
lack ofdedicatedstafftoasingle
client
lackofcapitalretention
riskofexternaldatamishandling
logdatanotalwaysarchived
log datastoredoffpremises
lackof customization
MSSPstandardizeservicestogain
economiesofscaleinproviding
securityservicestomyriadclients
Outsourced SOC general questions
1. Can I see your operations manual?
2. what is its reputation?
3. who are its customers?
4. does it already service customers in my
industry?
5. does it service customers my size?
6. how long have its customers been with it?
7. what is its cancellation/non-renew rate?
8. how do they protect data and what is the level
of security at their SOC?
20
Outsourced SOC staffing questions
1. what is the experience of its staff?
2. does it hire reformed hackers?
3. are background checks performed on all new
employees?
4. does it use contractors for any of its services?
5. are personnel held to strict confidentiality agreements?
6. what is the ratio of senior engineers to managed
clients?
7. what certifications are held by senior/junior staff?
8. what is its employee turnover rate?
21
Outsourced SOC stability questions
1. Is it stable?
2. does it have a viable business plan?
3. how long has it been in business?
4. positive signs of growth from major clients?
5. consistent large account wins / growing revenue?
6. what is its client turnover rate?
7. what are its revenue numbers?
If private and unwilling to share this information, ask for
percentages rather than actual numbers
8. will it provide documentation on its internal security
policies and procedures?
22
Outsourced SOC - sizing / costs
should provide services for less than in-house
solution
can spread out investment in analysts,
hardware, software, facilities over several clients
how many systems will be monitored?
how much bandwidth is needed?
potential tax savings
Convert variable costs (in-house) to fixed costs
(services)
23
Outsourced SOC performance metrics
must provide client with an interface providing
detailed information
services being delivered
how their security posture relates to overall industry
trends
provide multiple views into the organization
various technical, management and executive
reports
complete trouble ticket work logs and notes
24
Outsourced SOC SLAs
well-defined SLAs are critical
processes and time periods within which they will
respond to any security need.
SLA should include specific steps to be taken
procedures the company takes to assure that the
same system intrusions do not happen again
guarantee of protection against emerging threats
recovers losses in the event service doesnt deliver as
promised
commitments for initial device deployment, incident
response/protection, requests for security policy &
configuration changes, acknowledgement of requests
25
Outsourced SOC - Transitioning
ensure adequate knowledge transfer
create formal service level performance metrics
establish a baseline for all negotiated service levels
measure from the baseline, track against it, adjusting
as necessary.
create internal CIRT
identify key events and plan the response
hold regular transition & performance reviews
be flexible
schedule formal review to adjust SLAs after 6 months
of service operation and periodically thereafter
26
Outsourced SOC Termination
all outsourcing contracts must anticipate the
eventual termination at the end of the contract
plan for an orderly in-house transition or a
transition to another provider
develop an exit strategy
define key resources, assets and process
requirements for continued, effective delivery of the
services formerly provided by the outgoing provider
27
Outsourcing: dont just trust - verify
Call Saturday night 2AM
Whos answering? Do they sound competent?
Reports
Are they to your liking? Can they create complex
reports?
Set off a few alarms
Are they calling/alerting you in a timely manner?
True process for real-time threat analysis?
Or simply a glorified reporting portal that looks
impressive
28
Mike Rothman on MSSP
We have no illusions about the amount of effort required to
get a security management platform up and running, or what it
takes to keep one current and useful.
Many organizations have neither the time nor the resources to
implement technology to help automate some of these key
functions.
So they are trapped on the hamster wheel of pain, reacting
without sufficient visibility, but without time to invest in gaining
that much-needed visibility into threats without diving deep
into raw log files.
A suboptimal situation for sure, and one that usually triggers
discussions of managed services in the first place.
29
http://securosis.com/blog/managed-services-in-a-security-management-2.0-worldNovember 2011
SOC analysts
Good SOC analysts hard to find, hard to keep
Have combination of technical knowledge and
technical aptitude
hire experienced SOC analysts
pay them well
you get what you pay for
30
SOC analyst skill sets
31
O/S proficiency
network protocols
chain of custody issues
ethics
corporate policy
services
multiple hardware
platforms
attacks
directories
routers/switches/firewall
programming
forensics
databases
IDS
investigative processes
applications
and much more
SOC analyst - qualities
extremely curious
ability to find answers to difficult problems / situations
abstract thinker
can correlate IDS incidents and alerts in real-time
ethical
deals with low-level details while keeping big-
picture view of situation
can communicate to various groups that have
very different requirements
responds well to frustrating situations
32
SOC analyst burnout
SOC analysts can burnout
have a plan to address this
extensive training
bonuses
promotions
management opportunities
job rotation
33
SOC management
management and supervision of a SOC is a key
factor to ensure its efficiency
while analysts, other staff, hardware and
software are key elements, a SOCs ultimate
success is dependent on a competent SOC
manager.
inadequate/poor management has significant
consequences
from process performance decrements, to incidents
being missed or incorrectly handled
34
SOC processes and procedures
SOC heavily process-driven
processes work best when documented in
advance
usability and workflow critical
documentation
adequate time must be given to properly document
many different SOC functions
corporate networks and SOC are far too complex to
be supported in an ad-hoc manner
documentation makes all the difference
35
Sample SOC runbook table of contents
36
SOC metrics
measured by how quickly incidents are:
identified
addressed
handled
must be used judiciously
dont measure base performance of an analyst
simply on the number of events analyzed or
recommendations written
37
Additional references
38
Apply
39
Apply
obtain management commitment to a SOC
ensuring adequate staffing and budget
define your SOC requirements
decide to have SOC in-house or outsourced
in-house create detailed and customized processes
outsourced ensure their process meets your
requirements
create process to ensure SOC is effective and
providing security benefits to the firm
40
Ben Rothke, CISSP CISM
Manager Information Security
Wyndham Worldwide
Corporation
www.linkedin.com/in/benrothke
www.twitter.com/benrothke
www.slideshare.net/benrothke
41